Re: SMURF amplifier block list - READ THIS
From: Dax Kelson <dkelson () inconnect com>
Date: Wed, 15 Apr 1998 13:04:19 -0600 (MDT)

On Tue, 14 Apr 1998, Karl Denninger wrote:

> So I send one packet over my ISDN line, and the amplifier sends 200 copies
> of it to the victim.  I can effectively multiply the bandwidth of my 128kbps
> circuit 200-fold, which is TWENTY FIVE MEGABITS of bandwidth (!)
>
> Now, since I am smart, I use an ICMP ECHO with a payload of all zeros.
> STAC compresses this 1024-byte packet about 10:1, since it's all one byte.
> I can now source ~90Mbps from an ISDN connection!  This makes even a modem
> dial connection quite dangerous in that with compression and careful
> selection of the payload you can source ~10-20Mbps of smurf from a MODEM.


This isn't quite as bad as it sounds, because in nearly all cases, the
*OUTGOING* bandwidth from the amplification network will be *MUCH* less
than the aggregate traffic produced by all the devices on the
amplification LAN.

So what ends up happening in most cases is that 20-90Mbps of traffic
slams into the router interface capable of only 1.5/3/6/9Mbps of outgoing
traffic.  Still, though, a modem or ISDN connection being able to summon
1.5-9Mbps is quite a problem.

> The *ONLY* long-term fix for smurfing is to prohibit directed broadcasts, so
> that amplification of the attack cannot be done.  The only means available

This is not the *ONLY* long-term fix.

There has been very little mention of anti-SPOOF measures in this thread
which is surprising.

Granted, blocking directed broadcasts from entering your network prevents
you from being the "mid-point" of the attack.

The fact is that the SMURF attack couldn't even get off the ground if the
ISP for the "evil d00d" validated *OUTGOING* traffic, effectively blocking
IP SPOOFing. 

I would say that the scope of the IP SPOOFing problem is greater than any
other problem.

IP SPOOFing is *THE SOURCE* of all the major problems:

SYN-FLOOD
TEARDROP and variants
SMURF
What's Next???


Solutions:

Validate all traffic leaving your networks to be sure the IP source is
from one of your networks.

Everyone from the tier 1 providers on down should write that requirement
into all their connection agreements.

Further, the fact is that nearly *ALL* such attacks (attacks that use
IP-SPOOFing as a requirement) are launched from dial-up connections.

It would be relatively easy to have a *DRAMATIC* reduction in attacks if
the dialup equipment vendors would release software updates with *DEFAULT*
anti-spoof filters applied to dialup connections.

Put some pressure on your vendors; nearly all dialup ports are made by
either Lucent/Livingston, Ascend, or 3COM/USR.

I've been asking Livingston for two years for this feature.

Dax Kelson
Internet Connect, Inc.
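The two defences argued over in this thread, per-port anti-spoof filtering on dialup connections (Dax's point) and refusing directed broadcasts at the border of a would-be amplifier network (Karl's point), modelled as an added example. This is not code from the original post or from any of the vendors named; every port name, prefix and packet below is constructed for illustration.

```python
"""Added example, not from the NANOG thread: a small model of the two
defences discussed - default anti-spoof (source address) validation on
dialup ports, and dropping directed broadcasts at the border router of
the network that would otherwise act as the amplifier.
All ports, prefixes and packets are constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ingress: str   # port or interface the packet arrived on
    src: str       # IP source address as written in the header
    dst: str       # IP destination address
    proto: str     # e.g. "icmp-echo-request", "tcp-syn"


# Constructed: each dialup port was assigned exactly one address by the access
# server, so any other source address seen on that port is spoofed.
DIALUP_PORTS: Dict[str, IPv4Address] = {
    "S0": IPv4Address("192.0.2.10"),
    "S1": IPv4Address("192.0.2.11"),
}

# Constructed: LAN segments behind the border router that could be amplifiers.
ATTACHED_LANS: List[IPv4Network] = [IPv4Network("203.0.113.0/24")]


def anti_spoof_ok(pkt: Packet, ports: Dict[str, IPv4Address]) -> bool:
    """Default dialup anti-spoof rule: source must equal the port's address.
    Unknown ports fail closed."""
    assigned = ports.get(pkt.ingress)
    if assigned is None:
        return False
    return IPv4Address(pkt.src) == assigned


def is_directed_broadcast(pkt: Packet, lans: Iterable[IPv4Network]) -> bool:
    """True if dst is the broadcast address of an attached LAN (older stacks
    also answer the all-zeros host address, so that is checked too)."""
    dst = IPv4Address(pkt.dst)
    return any(dst in (lan.broadcast_address, lan.network_address) for lan in lans)


def filter_dialup_egress(packets: Iterable[Packet],
                         ports: Dict[str, IPv4Address]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets leaving dialup ports into (forwarded, dropped)."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for p in packets:
        (forwarded if anti_spoof_ok(p, ports) else dropped).append(p)
    return forwarded, dropped


def filter_border_ingress(packets: Iterable[Packet],
                          lans: Iterable[IPv4Network]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets entering from outside into (forwarded, dropped)."""
    lans = list(lans)
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for p in packets:
        (dropped if is_directed_broadcast(p, lans) else forwarded).append(p)
    return forwarded, dropped


# Constructed sample traffic on the access server's dialup ports.
DIALUP_TRAFFIC = [
    Packet("S0", "192.0.2.10", "198.51.100.5", "tcp-syn"),                 # legitimate
    Packet("S0", "198.51.100.5", "203.0.113.255", "icmp-echo-request"),    # victim's address forged as src
    Packet("S1", "192.0.2.11", "203.0.113.255", "icmp-echo-request"),      # genuine src; only the border rule stops it
    Packet("S9", "192.0.2.99", "198.51.100.5", "tcp-syn"),                 # port not in the table
]

# Constructed sample traffic arriving at the amplifier network's border.
BORDER_TRAFFIC = [
    Packet("Serial1", "198.51.100.5", "203.0.113.255", "icmp-echo-request"),  # directed broadcast
    Packet("Serial1", "198.51.100.5", "203.0.113.7", "icmp-echo-request"),    # ordinary unicast ping
]


def run_demo() -> Dict[str, int]:
    """Apply both filters to the sample traffic and return the counts."""
    fwd, drp = filter_dialup_egress(DIALUP_TRAFFIC, DIALUP_PORTS)
    bfwd, bdrp = filter_border_ingress(BORDER_TRAFFIC, ATTACHED_LANS)
    return {"dialup_forwarded": len(fwd), "dialup_dropped": len(drp),
            "border_forwarded": len(bfwd), "border_dropped": len(bdrp)}


if __name__ == "__main__":
    for name, count in run_demo().items():
        print(f"{name}: {count}")
```

The third dialup packet is the case the post glosses over: a ping to a broadcast address with a genuine source passes the anti-spoof check, so the two filters complement each other rather than substituting for one another. The dialup rule is deliberately a per-port equality test instead of a prefix match, which is what a default filter on an access server can do because it already knows the one address it handed out.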
